incubator-couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: Possible validation security issue
Date Wed, 29 Aug 2012 18:43:35 GMT
Firstly, security issues (even suspected ones) should not be posted to a public mailing list (use security@couchdb.apache.org).

Secondly, you ask "Shouldn't couchdb prevent the author field from being updated?"

The answer, of course, is "Yes, if a validate_doc_update function prevents it". Yours doesn't,
but should.

B.

On 29 Aug 2012, at 19:28, Wordit wrote:

> I may have stumbled upon a security issue in validation functions.
> Maybe somebody else can try to confirm this. I've been using the
> validation function mentioned several times in the user guide:
> 
> function (newDoc, oldDoc, userCtx) {
>  if (newDoc.author) {
>    if(newDoc.author != userCtx.name) {
>      throw({"forbidden": "You may only update documents with author " +
>        userCtx.name});
>    }
>  }
> }
> 
> A user who is *not* newDoc.author will be prevented from updating the
> document when editing. So far so good. However, to get around security
> and edit the document, a user who is not author, only has to change
> the author field to their name. Voila, they can now edit all other
> fields. Works in Futon in two steps, from Curl in one step.
> 
> I've been testing this on iriscouch.com, so it's the currently hosted
> version I'm referring to. I first noticed using curl. Something like
> this:
> 
> db has two fields.
> author: usera
> text: my wonderful text
> 
> The goal is to change field "text" as another user, e.g. "userb".
> userb just has to update the author field from usera to userb:
> 
> curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d
> '{"_rev":"3-456","author":"userb"}' -H "Content-type:
> application/json"
> 
> couch returns new _rev:4-567
> 
> Now the document belongs to userb, the text field can be updated.
> 
> curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d
> '{"_rev":"4-567","author":"userb", "text":"gottcha"}' -H
> "Content-type: application/json"
> 
> Actually, it worked in one go for me to just overwrite the author
> field and change other fields. It didn't require two steps in Curl.
> 
> Shouldn't couchdb prevent the author field from being updated? It
> seems this only works with the name of the currently authenticated
> user. You cannot enter just anything into the author field.
> 
> Can anyone confirm, and if this is correct, how can the document be secured?
> 
> Thanks,
> 
> Marcus
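
The validation function quoted above next to a hardened replacement, as an added example that is not part of the original thread or of CouchDB's own code. The tryWrite harness, the stored document and the user contexts are constructed here to mimic how CouchDB calls validate_doc_update(newDoc, oldDoc, userCtx), where oldDoc is null on create and a thrown {forbidden: ...} rejects the write.

```javascript
// Added example (not from the original thread). CouchDB invokes
// validate_doc_update(newDoc, oldDoc, userCtx) before every write; oldDoc is
// null when the document is being created, and throwing {forbidden: msg}
// rejects the write with a 403.

// The function from the user guide, as quoted in the post. It only compares
// the *incoming* author field with the caller, so a caller who rewrites that
// field to their own name passes the check.
function validateOriginal(newDoc, oldDoc, userCtx) {
  if (newDoc.author) {
    if (newDoc.author != userCtx.name) {
      throw({ forbidden: "You may only update documents with author " + userCtx.name });
    }
  }
}

// Hardened version: ownership is decided by the *stored* document, and the
// author field is pinned once the document exists.
function validateHardened(newDoc, oldDoc, userCtx) {
  function forbid(msg) { throw({ forbidden: msg }); }
  if (oldDoc) {
    // Update or delete: only the recorded owner may touch the document ...
    if (oldDoc.author !== userCtx.name) {
      forbid("Only " + oldDoc.author + " may modify this document");
    }
    // ... and the owner cannot hand it to someone else.
    if (!newDoc._deleted && newDoc.author !== oldDoc.author) {
      forbid("The author field is immutable");
    }
  } else {
    // Create: author must be present and must be the caller.
    if (newDoc.author !== userCtx.name) {
      forbid("New documents must carry author = " + userCtx.name);
    }
  }
}

// Minimal stand-in for CouchDB's call into the validator (constructed).
function tryWrite(validate, newDoc, oldDoc, userCtx) {
  try { validate(newDoc, oldDoc, userCtx); return "accepted"; }
  catch (e) { return "rejected: " + e.forbidden; }
}

// Constructed sample data mirroring the scenario in the post.
const stored = { _id: "123", _rev: "3-456", author: "usera", text: "my wonderful text" };
const userb = { name: "userb", roles: [] };
const takeover = { _id: "123", _rev: "3-456", author: "userb", text: "gottcha" };

console.log("original :", tryWrite(validateOriginal, takeover, stored, userb));
console.log("hardened :", tryWrite(validateHardened, takeover, stored, userb));
```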

